[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Open Resolver Problems

On 3/29/13, Scott Noel-Hemming <frogstarr78 at gmail.com> wrote:
>> Some of us have both publicly-facing authoritative DNS, and inward
>> facing recursive servers that may be open resolvers but can't be
>> found via NS entries (so the IP addresses of those aren't exactly
>> publicly available info).
> Sounds like your making the faulty assumption that an attacker would use
> normal means to find your servers.

A distributed scan of the entire IPv4 space for all internet IPs
running open DNS servers is fairly doable;  actually a long term scan
taking 100 to 200 days of continuous DNS scanning  is completely

The fact a recursive DNS server exists at a certain IP address can
also be exposed to the operators of authoritative (or root) DNS
servers, through the queries that the recursive servers make.

For example:  an internet advertiser can place syndicated ads on
certain websites, containing images referring to a server on their
domain (that requires resolving their domain),  and then mine data
from the IP addresses that are contacting their authoritative DNS
servers in order to make queries.

For some domains, the authoritative DNS servers might even want to
ping the recursor, and use the result to decide what set of answers to
send for future queries,  in order to reply with choices that are
anticipated to minimize latency.